anonhaven
Ad

CVE-2026-3107

CRITICAL CVSS 4.0: 9.3
Updated Mar 31, 2026
PHP
Parameter Value
CVSS 9.3 (CRITICAL)
Affected Versions before 3.1.5.16
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor PHP
Public PoC No

Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, allowing malicious JavaScript payloads to be persistently stored in the database. When other users view the imported passwords, the payload is automatically executed in their browsers, resulting in a stored XSS condition at the endpoint 'redacted/index.php?page=items'.

Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of multiple users and the administrator, which can lead to session hijacking, credential theft, privilege abuse, and compromise of application integrity.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 1

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tea…
cve-coordination@incibe.es
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-5198

PHP

6.9

CVE-2026-5197

PHP

5.3

CVE-2026-5196

PHP

5.3

CVE-2026-3106

PHP

9.3

CVE-2025-41357

PHP

5.1